Example 1.4 – Specifying SIDs

An improved version of the previous example: ‘administrators’ is a built-in group whose name depends on the language of the operating system. It is therefore better to use its well-known SID, which never changes.

Example 1.7 – Cleaning up ACLs

Same as the previous example, but first (see ordering of actions in the documentation) the DACL and SACL are cleared of any non-inherited entries, and then the specified ACEs are set. This effectively ‘cleans up’ messed-up ACLs.

Same as the previous example, but even more housekeeping is done. Propagation of inherited permissions is enabled for all sub-objects whose permissions are also reset, resulting in only the specified permissions being active for a whole directory tree.

Example 1.12 – Setting the Owner

Resets a whole directory tree to what most administrators dream of: the owner of all files and directories is set to the group ‘administrators’ and the flag ‘allow inheritable permissions from the parent object to propagate to this object’ is enabled for all objects’ DACLs; the SACLs are left unchanged.

Example 2 – Listing and Backup

Creates a complete listing of DACL, SACL, owner and primary group in SDDL format of the directory ‘\\server1\share1\users’ and all sub-folders. The listing is stored in Unicode format in the backup file specified.

Example 4 – Copying Permissions Between Users

This command copies all ACEs belonging to ‘domain1\user1’ to ‘domain2\user2’, resulting in a duplication of permissions: after the process, domain2\user2 has the same permissions as domain1\user1. This might be useful in a migration scenario where users from domain1 are migrated (copied) to domain2.

Example 5 – Migrating Permissions Between Domains

This is useful in a domain migration scenario where users from domain1 are migrated (copied) to domain2. This command replaces all SIDs belonging to users/groups from domain1 with the SIDs of users/groups with the same names from domain2, resulting in a replacement of permissions: after the process, domain2\user1 has the permissions domain1\user1 previously had.
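
The difference between the duplication in Example 4 and the replacement in Example 5 can be seen on a single security descriptor in the SDDL format used in Example 2. The following is an added illustration, not the tool's own code: the SIDs, the SDDL string and the function names are constructed, the name-to-SID lookup between domains is assumed to have been done already, and only ACE trustees are rewritten.

```python
import re

ACE = re.compile(r"\(([^()]*)\)")  # (type;flags;rights;object_guid;inherit_guid;trustee)

# Constructed SIDs and SDDL string, standing in for one line of an SDDL listing.
D1_USER1 = "S-1-5-21-1111111111-2222222222-3333333333-1104"  # domain1\user1
D2_USER1 = "S-1-5-21-4444444444-5555555555-6666666666-2310"  # domain2\user1
D2_USER2 = "S-1-5-21-4444444444-5555555555-6666666666-2311"  # domain2\user2
SAMPLE = ("O:BAG:DUD:AI(A;OICI;FA;;;BA)"
          f"(A;OICI;0x1301bf;;;{D1_USER1})(A;OICIID;FR;;;{D1_USER1})")


def _rewrite(sddl, per_ace):
    """Run per_ace(fields) on every explicit ACE and splice the result back in."""
    def sub(match):
        fields = match.group(1).split(";")
        # Assumption: leave conditional-ACE fragments (< 6 fields) and inherited
        # ACEs (flag ID) alone; inherited entries are defined on the parent.
        if len(fields) < 6 or "ID" in re.findall("..", fields[1]):
            return match.group(0)
        return "".join("(" + ";".join(f) + ")" for f in per_ace(fields))
    return ACE.sub(sub, sddl)


def copy_trustee(sddl, src_sid, dst_sid):
    """Example 4: every ACE of src_sid gains a twin for dst_sid (duplication)."""
    def per_ace(f):
        twin = f[:5] + [dst_sid] + f[6:]
        # The twin sits next to the original, so canonical ACE order is kept.
        return [f, twin] if f[5] == src_sid else [f]
    return _rewrite(sddl, per_ace)


def replace_sids(sddl, sid_map):
    """Example 5: trustees listed in sid_map are swapped (replacement)."""
    return _rewrite(sddl, lambda f: [f[:5] + [sid_map.get(f[5], f[5])] + f[6:]])


if __name__ == "__main__":
    print(copy_trustee(SAMPLE, D1_USER1, D2_USER2))
    print(replace_sids(SAMPLE, {D1_USER1: D2_USER1}))
```

After the copy, the domain1 account still holds its access, so the old ACEs remain an exposure until they are removed; after the replacement, only the inherited entry still names the domain1 SID.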